TLS Error Message

[wtellis]

Hi,

I'm having trouble using the TLS Store SCP in DICOMscope 3.6. I have it configured to require client certificate verification (PeerAuthentication = REQUIRE). I'm using an internally developed Java DICOM toolkit with JSSE to send the images. When my SCU tries to start a TLS connection, DICOMscope drops the connection with the error "DUL secure transport layer: no certificate returned." Using OpenSSL I have confirmed my client certificate is being sent and I have placed the CA cert for the issuer of my client certificate in the cacert directory (though I can't seem to figure out how to make sure DICOMscope has found the CA cert). Also I did some testing using a self-signed client certificate and everything works fine. Does DICOMscope support client certificates that are not self-signed and if so, what does this error message I'm getting mean?

Thanks,

Wyatt

[Marco Eichelberg]

DICOMscope supports client certificates that are not self-signed - the sample certificates provided with DICOMscope are not self signed.
Installing a CA certificate requires copying the certificate file into the cacert directory and renaming it according to OpenSSL's hash conventions. The following openssl command line determines the file name for a CA file "ca_cert.pem":

Code: Select all

openssl x509 -hash -noout -in ca_cert.pem

The extension should be .0 (zero) unless this file name already exists, then increase the counter to .1 etc.
Regarding the precise meaning of the error message "No certificate returned" you will have to check the OpenSSL documentation since DICOMscope at this point only forwards the error message generated by the underlying OpenSSL toolkit.